Security impact of lmtpd with pre-auth

Nikolaus Rath Nikolaus at rath.org
Wed Jul 8 18:48:49 EDT 2009


Andrew Morgan <morgan at orst.edu> writes:
> On Wed, 8 Jul 2009, Pascal Gienger wrote:
>
>> Nikolaus Rath wrote:
>>> Hello,
>>>
>>> Apparently (http://wiki.exim.org/CyrusImap) I need to let lmtpd accept
>>> connections from localhost as pre-authenticated to make cyrus and exim
>>> work nicely together.
>>>
>>> Can someone explain what this actually means security wise? I.e. what
>>> could a malicious user on localhost do with a pre-authed connection?
>>
>> He can put/deliver mail in whatever mailbox.

But unless I have some exotic filtering and/or rate limiting configured,
he can do exactly the same thing by connecting to localhost:smtp, or
invoking sendmail directly, can't he? So why the additional protection
for lmtp?

>> The other side: If you have a "malicious unix user" on your Cyrus Box,
>> you'll have a bunch of other problems, far aside from delivering mails
>> to every mailbox...

Of course.

>> Delivering mails from localhost to localhost via lmtp with
>> authentication has the problem that the sending side does need to know
>> the credential. If the sending side knows that credential, a "malicious
>> user" does have access to it because the sending side is on the same
>> box, the same container, ...
>
> For an entertaining read (which also contains instructions on configuring 
> exim to do lmtp auth):
>
>    http://lkcl.net/reports/cyrus-configs/SIMPLEHOWTO.txt
>
> The author has some wonderful comments about software and managers.  :)

Seems to be offline right now. But I'll check it out again later.

> Pascal is right though - you may end up with the lmtp auth password stored 
> in plaintext in a config file that end users can read.  Still, lmtp auth 
> is probably a smarter way to go than pre-auth.  You may be able to make 
> the necessary exim config file not readable by your users.  I'm not that 
> familiar with exim myself.

Keeping the password secret from users isn't the problem. But for some
reason exim does not do authentication when checking if a
user/mailbox-name is valid (and if I turn off the verification, I end up
with thousands of undeliverable mails in my spool that exim accepted but
cannot deliver to cyrus).

So I really have to stick with pre-auth. I was just curious what exactly
I'm getting into with that.

Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C
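
Added example, not part of the original message or of Cyrus itself: a small audit that reads the SERVICES entries of a cyrus.conf and reports which lmtpd listeners accept pre-authenticated connections, the setting discussed in this thread. It assumes the documented lmtpd `-a` flag; the sample configuration and its service names are constructed for illustration.

```python
import re
import shlex

# Constructed sample cyrus.conf; service names and paths are illustrative.
SAMPLE_CONF = '''
START {
  recover   cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap      cmd="imapd" listen="imap" prefork=0
  lmtp      cmd="lmtpd -a" listen="localhost:lmtp" prefork=0   # exim on same host
  lmtpwide  cmd="lmtpd -a" listen="lmtp" prefork=0
  lmtpauth  cmd="lmtpd" listen="192.0.2.10:lmtp" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0
}
'''

ENTRY = re.compile(r'^\s*(\w+)\s+(.*cmd=.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def audit_lmtp(conf_text):
    """Return (service, listen, finding) for every lmtpd entry."""
    results = []
    for line in conf_text.splitlines():
        m = ENTRY.match(line.split("#", 1)[0])      # drop trailing comments
        if not m:
            continue
        opts = {k: v.strip('"') for k, v in KV.findall(m.group(2))}
        argv = shlex.split(opts.get("cmd", ""))
        if not argv or not argv[0].endswith("lmtpd"):
            continue
        listen = opts.get("listen", "")
        if listen.startswith("/"):
            # lmtpd(8): connections on Unix sockets are always pre-authorized,
            # so who may deliver is decided by the socket's file permissions.
            finding = "unix-socket"
        elif "-a" not in argv[1:]:
            finding = "auth-required"               # TCP without -a: LMTP AUTH needed
        else:
            # listen is "host:port" or just "port" (all interfaces).
            host = listen.rsplit(":", 1)[0] if ":" in listen else ""
            finding = "preauth-loopback" if host in LOOPBACK else "preauth-network"
        results.append((m.group(1), listen, finding))
    return results

if __name__ == "__main__":
    for name, listen, finding in audit_lmtp(SAMPLE_CONF):
        print(f"{name:10} {listen:32} {finding}")
```

A `preauth-loopback` result means any local process can hand mail to any mailbox over that port; `preauth-network` extends the same to every host that can reach the listener.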